MEASURING EFFECTIVENESS
Is Your Security Strategy Sound?


BY PAUL A. STRASSMANN 


No matter how much money you throw at securing your systems, there’s no guarantee that they are 100% secure. 
Nonetheless, there are indicators that you can examine to determine if your information security approach is on track 
or needs to be overhauled. The tool below is aimed at helping you make three key comparisons: your information 
security costs vs. total I.T. spending, loss of employee time vs. security costs, and loss of employee productivity.


INSTRUCTIONS: Fill in your organization's numbers in the right-hand column, and follow the calculations described in 
the middle column. You can download an interactive version from our Premium Tools Site at Go.BASELINEMAG.COM/NOVO6. 


Tool: How to Measure Your Security Investments 


BASICS                                                                       EXAMPLE        YOUR COMPANY
A    Number of employees                                                     1,000
B    Average annual salary, fully loaded                                     $75,000
C    Average hourly salary, fully loaded (assumes 1,500 hours per year)      $50

INFORMATION SECURITY COSTS
D    Total I.T. spending                                                     $18,500,000
E    Share of I.T. spending on information security                          2%
F    Total information security spending by I.T. (D x E)                     $370,000

DENIAL-OF-SERVICE ATTACKS ON SERVERS: USER COSTS
G    Incidents per year                                                      6
H    Average duration of downtime, in minutes                                60
I    Time spent while system reboots, in minutes                             15
J    Time spent on recovery of lost work, in minutes                         60
K    Time spent running backup and file integrity check, in minutes          90
L    Total minutes of user downtime (A x G x (H+I+J+K))                      1,350,000
M    Percentage of user total work time dependent on servers                 30%
N    Total user cost (L x M x C ÷ 60)                                        $337,500

VIRUS AND WORM ATTACKS ON CLIENTS: USER COSTS
O    Incidents per year                                                      12
P    Average duration of downtime, in minutes                                [illegible]
Q    Time spent on system reboot, in minutes                                 15
R    Time spent on recovery of work, in minutes                              30
S    Time spent running scans for viruses, spyware, etc., in minutes         [illegible]
T    Total minutes of user downtime (A x O x (P+Q+R+S))                      900,000
U    Percentage of user total work time dependent on personal computers      50%
V    Total user cost (T x U x C ÷ 60)                                        $375,000

INFORMATION SECURITY INDICATORS
     Total info security costs ÷ Total I.T. spending ((F+N+V) ÷ D)           5.9%
     WHAT THIS MEANS: If this ratio exceeds 10%, your business architecture
     is not designed to cope with attackers. Go back to the drawing board.

     Loss of employee time ÷ I.T. costs for info security ((N+V) ÷ F)        193%
     WHAT THIS MEANS: If employee downtime costs exceed security investments
     by 200% or more, your security strategy needs remediation.

     Loss of employee productivity ((N+V) ÷ (A x B))                         1.0%
     WHAT THIS MEANS: If cyberattacks are responsible for a 1% loss
     or more in employee productivity, your I.T. operations are a drag
     on the business. Take steps to improve security.
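
The worksheet's arithmetic as a small calculator, run on the EXAMPLE column. This is an added example, not part of the original tool: the class, function and key names are assumptions, the thresholds are read as limits on the three ratios, and the two client-row minute values that are illegible in this copy are assumed to be 15 each so that the row total matches the printed 900,000 minutes.

```python
from dataclasses import dataclass

@dataclass
class AttackClass:
    """One attack category from the worksheet (rows G-M or rows O-U)."""
    incidents_per_year: int
    minutes_per_incident: tuple   # downtime, reboot, recovery, integrity check or scan
    dependency_share: float       # share of work time that depends on the hit systems

    def user_cost(self, employees, hourly_rate):
        # Rows L/T: total user minutes lost; rows N/V: those minutes priced per hour.
        minutes = employees * self.incidents_per_year * sum(self.minutes_per_incident)
        return minutes * self.dependency_share * hourly_rate / 60

def security_indicators(employees, annual_salary, hours_per_year,
                        it_spending, security_share, attacks):
    hourly_rate = annual_salary / hours_per_year        # row C
    security_spend = it_spending * security_share       # row F = D x E
    user_loss = sum(a.user_cost(employees, hourly_rate) for a in attacks)  # N + V
    ratios = {
        "security_cost_vs_it_spend": (security_spend + user_loss) / it_spending,
        "downtime_vs_security_spend": user_loss / security_spend,
        "productivity_loss": user_loss / (employees * annual_salary),
    }
    # Thresholds from the worksheet's "WHAT THIS MEANS" notes, applied to the
    # unrounded ratios: "exceeds 10%", "200% or more", "1% loss or more".
    flags = {
        "security_cost_vs_it_spend": ratios["security_cost_vs_it_spend"] > 0.10,
        "downtime_vs_security_spend": ratios["downtime_vs_security_spend"] >= 2.00,
        "productivity_loss": ratios["productivity_loss"] >= 0.01,
    }
    return ratios, flags

# The page's EXAMPLE column. In the client row only the reboot (15) and recovery
# (30) minutes are legible in this copy; the other two values are assumed to be
# 15 each, which gives the 75 minutes the printed 900,000-minute total requires.
SERVERS = AttackClass(6, (60, 15, 60, 90), 0.30)
CLIENTS = AttackClass(12, (15, 15, 30, 15), 0.50)

if __name__ == "__main__":
    ratios, flags = security_indicators(1000, 75_000, 1_500, 18_500_000, 0.02,
                                        [SERVERS, CLIENTS])
    for name, value in ratios.items():
        print(f"{name}: {value:.2%}  flagged={flags[name]}")
```

On the example figures the productivity loss is 0.95% before rounding, so it prints as 1.0% in the worksheet but stays under the 1% threshold when the unrounded ratio is compared.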